Simple Guide to do Brute Force Login Using Burp Suite

Handhika Yanuar Pratama
Published in InfoSec Write-ups
6 min read · Mar 10, 2023


“Disclaimer: This is not a hacking tutorial; it is just for fun and educational purposes only. Any violation because of this is beyond my responsibility.”

Brute force is an attack technique that tries many combinations by trial and error in order to break into a system. The technique can be automated with software. I wrote “Instagram Brute Force Attack Using Python” two years ago; Instagram has since hardened its login page, so that technique is obsolete, but for some reason many people still read that page. Thanks.

Okay, in this story I would like to share how to brute force a login using Burp Suite. Burp Suite is a tool for penetration testers to test the security of applications, especially web applications. A full explanation of the software is beyond this story.

Brute forcing with Burp Suite is very simple, but I believe many people still don’t know how to do it. Psst, I can say that many sites are still vulnerable to brute force. At the end of the story, I will also discuss securing your apps from brute force.

The Workflow

The image below shows the big picture of what we will do.

We will use Burp Suite to send usernames and passwords to the login page. The process is automated, which frees up time for other work during a penetration test.

The preparation

Here is the list of applications you need for this technique:

1. Burp Suite – the essential tool of this story for brute forcing. It doesn’t matter whether you use the Community or Professional edition; you only need the intention to start and follow this technique until it is done.

2. Wordlists — lists of candidate usernames and passwords. I recommend the SecLists wordlists, which you can access from their GitHub here.

Because that repo is too big for this short article, I already extracted what we need into my own repo there. It provides just the username and password wordlists. Download the files and save them on your local computer.

3. Target — please use a legal target; using this in illegal ways is beyond my responsibility. A legal target is, for example, DVWA (Damn Vulnerable Web Application).

Okay, I already created a sandbox environment running Damn Vulnerable Web Application that I can access on my local network (http://192.168.43.94/dvwa/login.php).

The Technique

Let’s go through the technique step by step.

1. Open Burp Suite and start its browser (Target tab > Open Browser).

2. Access the target with the browser Burp Suite provides; if you look, Burp Suite records your browser traffic, which means the browser is connected to the proxy.

3. Log in to the DVWA account with username “admin” and password “password”, then go to the Brute Force section.

4. Fill in the username and password form but don’t press Login; here I fill in the username ‘user’ and password ‘1234’.

5. Go to the Proxy tab in Burp Suite and click “Intercept is off” to toggle it to “Intercept is on”, like this.

6. Go back to the browser, click Login and look at Burp Suite; the intercepted request will be recorded there.

7. Right-click the request in Burp Suite and choose Send to Intruder.

8. Go to the Intruder tab and, before changing anything, click Clear to remove the “§” markers.

9. All the “§” markers will be gone, and it will look like this.

10. Next, highlight the username value and click Add to place the “§” markers around it.

11. Do the same for the password, like this. Do it in this order; I will explain why this matters later.

12. Because we are brute forcing more than one parameter (username and password), choose Cluster bomb as the attack type.

13. Next, go to the Payloads section and look at the Payload set below; it has two positions, the first for the username and the second for the password, in the order in which you added the positions.

14. In the Payload settings, you can enter the values manually or simply click Load and choose the file you downloaded from my repo. As I said, the first parameter is the username and the second is the password. The image below shows me loading top-usernames into the first payload set.

15. The result will look like this, and we can still add entries manually.

16. Next, we load the default passwords into the second payload set.

17. The bullets are loaded into the weapon, but before executing, look again: if you followed the steps correctly, it will show how many requests will be made.

18. The brute force starts, and it will take time.

19. Look, everything is done below; the sign of whether the brute force succeeded is the Length column: a response with a different length means the attack was a success.

20. Because the length is different, look at that response or try logging in with that account.

Congratulations, you have already carried out a brute-force attack.

The Protection

We can defend against any attack if we know the right way. Brute force is a trial and error exercise, and it is time and resource consuming. There are several ways to prevent this attack:

  • Add more layers of security to the web app, such as a per-form token submitted together with the username and password.
  • Add login limitations, such as limiting the number of attempts.
  • Add encoding at the input parameters.
  • Etc.

These protections will make an attacker think twice before attempting this kind of attack.
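As an added example (not code from the original article), here is one way to implement the “login limitations” above in Python: a login handler that throttles failed attempts per source IP and per account over a sliding window, and returns the same response for every failure so the Length column used in the attack steps gives no extra signal. The `LoginGuard` class and the `USERS` store are assumptions for the demo.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed demo user store; a real app stores password hashes, never plaintext.
USERS = {"admin": "password"}

class LoginGuard:
    """Throttle failed logins per source IP and per account (sliding window)."""

    def __init__(self, max_attempts=5, window=300, clock=time.time):
        self.max_attempts = max_attempts    # failures allowed per window
        self.window = window                # window length in seconds
        self.clock = clock                  # injectable for deterministic tests
        self.failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent_failures(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:  # age out old failures
            q.popleft()
        return q

    def is_locked(self, key, now=None):
        now = self.clock() if now is None else now
        return len(self._recent_failures(key, now)) >= self.max_attempts

    def attempt(self, username, password, client_ip):
        now = self.clock()
        # IP key catches one source spraying many accounts; account key catches
        # a distributed attack against a single user.
        keys = (f"ip:{client_ip}", f"user:{username}")
        if any(self.is_locked(k, now) for k in keys):
            return self._fail()
        expected = USERS.get(username, "")
        # Constant-time comparison: no early exit on the first mismatching byte.
        ok = hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            for k in keys:
                self.failures[k].clear()
            return {"status": 302, "location": "/dvwa/"}
        for k in keys:
            self.failures[k].append(now)
        return self._fail()

    @staticmethod
    def _fail():
        # Unknown user, wrong password and lockout all return this exact body,
        # so the Intruder "Length" column cannot separate those cases.
        return {"status": 200, "body": "Login failed"}
```

A successful login necessarily differs from a failure, so the throttle is what actually stops the Cluster bomb run; the uniform failure body only removes the username-enumeration side channel.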

The Conclusions

In this story, I have shown how to brute force a login using Burp Suite. Although this tutorial is implemented on DVWA, I would say many sites still don’t implement protection against brute force attacks, so you could apply these steps almost anywhere. I hope you enjoy and understand this article. Thanks for reading. Happy hacking. 😈
